Many commentators have suggested that a primary security risk is the fact that the data is transmitted in plain text. Encrypting over the wire is always a good idea but in reality “man-in-the-middle” attacks are extremely rare. I would worry primarily about the far more common cases of 1) someone (insider or outsider) stealing the company’s database, 2) a government subpoena for the company’s database. The best protection against these risks is encrypting the data in such a way that hackers and the company itself can’t unencrypt it (or to not send the data to the servers in the first place).

I am wondering if there is any cold, hard, real world data to back up that assertion -- are "man in the middle" attacks actually rare in the real world, based on gathered data from actual intrusions or security incidents?

The original comment from Chris Dixon is confused. The big problem on the web today is eavesdropping not man-in-the-middle attacks. Said another way, the problem is that someone eavesdrops and figures out your Gmail/Hotmail/Yahoo! credentials then uses that to send spam behind your back not that they pretend to be Gmail/Hotmail/Yahoo! and you think you're sending an email but really you're typing your message on the attacker's server.
– Dare Obasanjo, Feb 22 '12 at 20:34

8 Answers

The top three threat action categories were Hacking, Malware, and Social. The most common types of hacking actions used were the use of stolen login credentials, exploiting backdoors, and man-in-the-middle attacks.

From reading that, I infer that it's a secondary action used once somebody has a foothold in the system, but the Dutch High Tech Crime Unit's data says it's quite credible for concern. Of the 32 data breaches that made up their statistics, 15 involved MITM actions.

Definitely don't stop there, though. That entire report is a gold mine of reading and the best piece of work that I've come across for demonstrating where threats are really at.

I would go further in saying that any instance of an SSL root coughing up a bad cert is a sign of an attack, otherwise they'd be pretty useless compromises. Finally, because I'm that guy, I would definitely try to splice into your network box outside the building if I were doing your pentest. One can do amazing things with a software radio even on a wired connection.

The simple answer is no - there is a wide variety of evidence that this type of attack is common.

Some of the controls brought in by banks (two factor authentication etc) were in part required to combat the ever more common MITM attacks on customers.

While there are other forms of attack (compromise of client is a good one) which may now be easier to carry out through the use of malware to place a trojan on the client PC, MITM is still relatively easy in most cases.

The core fact to remember is that criminals tend to work on a good return on investment. The ROI for an attacker is very good:

low risk of being caught

low physical risk

some effort in coding the exploit can lead to real world monetary gain

the code can then be reused or sold to other criminals

As @CanBerk said, we aren't ever going to get any 'completely secure' protocols, but making life harder for criminals is a partial solution. MITM will not go away until it is made too difficult to be profitable.

Use ARP Poisoning to attack the users. Not trivial unless you are on the same network as the targeted users using your webapp.

DNS Cache Poisoning. For this to work you need to poison the DNS being used by the targeted users. If the DNS is not properly set up this attack becomes somewhat trivial to perform, however there is a lot to rely on for this to work.

Phishing attacks. These still fool the unsuspecting and naive users, however a lot of the responsibility lies on the user.

All this just to attack one or a small subset of users. Even then, attacking these users will give them a warning in their browsers (there are ways to attack this as well, but I am not taking that up here). Only by compromising a root CA or by finding a flaw in the algorithm used to generate the certificates would you be allowed to pose as a trusted certificate issuer.

If, on the other hand, we look at all the potential nasty stuff that we can see if we don't invest in enough security for the webapp itself, we see attack vectors like:

SQL Injection - trivial and easy to both exploit and discover. Very high damage impact.

XSS (Cross Site Scripting) - easy to discover, harder to exploit. I think we will see higher and higher user impact from this in the future. I foresee this becoming the "new SQL Injection" trend that we were seeing back in the day.

CSRF (Cross Site Request Forgery) - Moderate to discover, moderate to exploit. This would require users navigating to an already owned site, triggering a request to your webapp which would do a transaction on behalf of the user.

So by just mentioning these few, but popular, methods for both attacking the webapp and becoming a MiTM, I would leave it up to a specific risk/consequence analysis of the specific given organization you are trying to secure, whether or not you should defend your users directly by implementing SSL or by defending the webapp as a whole (which also includes intellectual property, user data, sensitive data, potential data that could breach other applications, and so on).

So in my humble opinion I very much agree with Chris Dixon's statement. Prioritize securing the webapp as much as you can before you start thinking of securing the transport layer.

Edit:
On a side note: Pages like Facebook, Gmail and others were under heavy MiTM attacks during the wake of Firesheep. This could only be mitigated through SSL and awareness.

However if you think about it, sniffing wireless traffic with Firesheep and hijacking the sessions would require the wireless LAN you are connected to to not have any encryption.

When I go war-driving today, I see a dramatic decrease in the number of open wireless APs and also in the number of WEP-enabled APs. We keep seeing more and more WPA2-encrypted APs, which in most cases provide us with enough security.

Now what is the risk of someone creating an easy and convenient tool for sniffing and hijacking your users' sessions? What is the impact for those users? It also could be mitigated in different ways (re-authenticating the user when coming from different footprints at the same time, notifying the user when something looks wrong (gmail is a good example of this)).
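The ARP poisoning vector this answer lists first is also something a defender can watch for on the wire. The following is an added example, not code from the answer or from any tool it names: it reads a constructed log of ARP replies (timestamp, IP, MAC) and raises an alert when an address, above all the gateway, is suddenly claimed by a different MAC, or when one MAC starts answering for more addresses than it should. The log format, the sample values and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of ARP reply observations (not captured from any real
# network): "<unix-ts> <ip> is-at <mac>". The last three lines model a host
# that starts answering for the gateway and for two of its neighbours.
SAMPLE_ARP_REPLIES = [
    "1700000001 192.168.1.1 is-at 00:11:22:33:44:01",
    "1700000002 192.168.1.20 is-at 00:11:22:33:44:20",
    "1700000003 192.168.1.21 is-at 00:11:22:33:44:21",
    "1700000030 192.168.1.1 is-at 00:11:22:33:44:01",
    "1700000042 192.168.1.1 is-at DE:AD:BE:EF:00:01",
    "1700000043 192.168.1.20 is-at de:ad:be:ef:00:01",
    "1700000044 192.168.1.21 is-at de:ad:be:ef:00:01",
]


def parse_reply(line):
    """Parse one observation. MACs are normalised to lower case so that case
    differences between capture tools do not look like a change of hardware address."""
    ts, ip, verb, mac = line.split()
    if verb != "is-at":
        raise ValueError(f"not an ARP reply line: {line!r}")
    return int(ts), ip, mac.lower()


def detect_arp_spoofing(lines, gateway_ip=None, max_ips_per_mac=2, allowlist=frozenset()):
    """Return a list of (timestamp, severity, message) alerts.

    Two signals are used: an IP whose MAC changes (the poisoned-cache pattern),
    rated high when the IP is the gateway, and a single MAC that claims more than
    `max_ips_per_mac` addresses (one host answering on behalf of its neighbours).
    `allowlist` holds MACs that may legitimately take over an address, such as a
    VRRP/HA standby gateway, so they never trigger the change alert.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in lines:
        ts, ip, mac = parse_reply(line)
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac and mac not in allowlist:
            severity = "high" if ip == gateway_ip else "medium"
            alerts.append((ts, severity, f"{ip} moved from {prev} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        # Fire once, at the moment the threshold is crossed, not on every later reply.
        if len(mac_to_ips[mac]) == max_ips_per_mac + 1:
            alerts.append((ts, "medium", f"{mac} now claims {len(mac_to_ips[mac])} addresses"))
    return alerts


if __name__ == "__main__":
    for ts, sev, msg in detect_arp_spoofing(SAMPLE_ARP_REPLIES, gateway_ip="192.168.1.1"):
        print(ts, sev.upper(), msg)
```

On a real segment the input would come from a passive capture of ARP replies; the allow-list matters in practice, because gateway failover and DHCP lease churn produce legitimate MAC changes that would otherwise look identical to poisoning.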
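The mitigation the answer ends on, re-authenticating a user whose session turns up from a different footprint at the same time, is the server-side defence against Firesheep-style cookie theft. As an added example that is not code from the answer, here is a small session store that binds each token to a coarse client footprint (network prefix plus User-Agent hash) at login and revokes the session when the same cookie is presented from another footprint while the first is still active. The footprint definition, the 300-second window and the sample addresses are assumptions chosen for the example.

```python
import hashlib
import ipaddress
import secrets
import time

# Assumption for this example: a footprint that was seen within this many
# seconds is still "active", so a second footprint using the same cookie
# inside the window is treated as a hijack rather than as the user roaming.
FOOTPRINT_WINDOW = 300


def footprint(ip, user_agent):
    """Coarse fingerprint: the client's /24 (IPv4) or /64 (IPv6) plus a hash of its
    User-Agent. A prefix rather than the exact address tolerates NAT pools and DHCP churn."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    ua_hash = hashlib.sha256(user_agent.encode("utf-8")).hexdigest()[:16]
    return f"{net}|{ua_hash}"


class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> {"user", "fp", "seen"}

    def login(self, user, ip, user_agent, now=None):
        """Issue a fresh random token bound to the footprint seen at login."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "fp": footprint(ip, user_agent), "seen": now}
        return token

    def check(self, token, ip, user_agent, now=None):
        """Validate a presented cookie. Returns one of:
        "unknown" - no such session (expired, revoked, or never issued)
        "ok"      - same footprint as before
        "reauth"  - different footprint while the original was active: session revoked
        "rebound" - different footprint after the original went quiet: accepted and rebound
        """
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return "unknown"
        fp = footprint(ip, user_agent)
        if fp == sess["fp"]:
            sess["seen"] = now
            return "ok"
        if now - sess["seen"] <= FOOTPRINT_WINDOW:
            # Two footprints using one cookie at the same time is the hijack pattern:
            # drop the session so the copied cookie is worthless and force a fresh login.
            del self._sessions[token]
            return "reauth"
        # The original footprint has been idle: treat it as the user moving networks
        # (home to mobile), rebind the session, and leave logging/notification to the caller.
        sess["fp"] = fp
        sess["seen"] = now
        return "rebound"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice", "203.0.113.10", "Mozilla/5.0 (X11; Linux)", now=1000)
    print(store.check(tok, "203.0.113.77", "Mozilla/5.0 (X11; Linux)", now=1010))  # ok
    print(store.check(tok, "198.51.100.5", "Mozilla/5.0 (X11; Linux)", now=1020))  # reauth
```

The window is the policy knob: a stricter deployment returns "reauth" on any footprint change and never rebinds, at the cost of logging out every user who walks from wifi to a mobile network. Whatever the choice, the "reauth" path must actually delete the server-side session, otherwise the stolen cookie keeps working from the attacker's footprint.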

Yes, hubs exist, though I haven't seen them on typical networks yet. Imagine a testing lab where most of the users are blasé about security, administrators are blasé about web apps requiring that passwords or cookies be sent in the clear, hubs abound (for sniffing phones during testing—easier to set up than a switch with a mirror port), half the computers have two NICs, there's a publicly accessible patch panel, the lab is located in a shared building, and there are few access controls at the entrance. True story. I'd imagine there would be similar environments elsewhere.
– pilona, Oct 16 '13 at 23:31

I did not find any statistic or white paper that includes the real world data you wanted to have.

However, I would like to add that MitM attacks within companies happen daily and more than once. Several security vendors have solutions to scan encrypted traffic (for example, Palo Alto Networks) and at least the company I currently work for has activated this feature.

To do this, the firewall/proxy device is simply granted a certificate from an internal Certificate Authority (CA) which is already trusted by all clients. When an application asks for a secure connection, the firewall/proxy device generates a new certificate for the target server on the fly and sends it to the client. Since the client trusts the internal CA, it also trusts the device certificate and will happily start a "secure" connection.
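Because the on-the-fly certificate chains to a CA the client already trusts, normal chain validation succeeds and the client sees nothing wrong. What does reveal the proxy is comparing the issuer (or, better, a pinned fingerprint) against what the service is known to use, out of band. The following is an added example, not code from the answer or from any vendor it names: two constructed certificate dicts in the shape Python's ssl.SSLSocket.getpeercert() returns, one as the public CA would issue it and one as an intercepting proxy would mint it, plus a check that flags the latter. Every name in the dicts is invented; fetch_peer_cert is the live-network variant and is not exercised offline.

```python
import hashlib
import socket
import ssl

# Constructed certificate dicts (getpeercert() shape); all names are invented.
GENUINE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA R1"),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "Corp IT"),),
        (("commonName", "Corp Internal Root CA"),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def rdn_value(name_seq, attr):
    """Pull one attribute (e.g. "commonName") out of getpeercert()'s nested RDN tuples."""
    for rdn in name_seq:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def interception_verdict(cert, expected_issuers):
    """Compare the leaf's issuer against the issuers the service is known to use.

    Returns ("ok", issuer_cn) or ("intercepted", issuer_cn). A locally trusted
    internal CA passes chain validation, which is why validation alone cannot
    see a proxy; an expectation obtained out of band can.
    """
    issuer = cert.get("issuer", ())
    cn = rdn_value(issuer, "commonName")
    org = rdn_value(issuer, "organizationName")
    if cn in expected_issuers or org in expected_issuers:
        return ("ok", cn)
    return ("intercepted", cn)


def leaf_fingerprint(der_bytes):
    """SHA-256 of the DER-encoded leaf, for pinning: an issuer name can be copied
    into a minted certificate, a fingerprint of the genuine leaf cannot."""
    return hashlib.sha256(der_bytes).hexdigest()


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check (needs network): returns (parsed cert dict, sha256 of the DER leaf).
    The default context verifies against the OS trust store, so a proxy certificate
    signed by an installed internal CA is accepted here and must be caught by the
    issuer or fingerprint comparison afterwards."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), leaf_fingerprint(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("proxied", INTERCEPTED_CERT)):
        print(label, interception_verdict(cert, {"Example Public CA"}))
```

Run from inside a network with such a device, the live check against a site whose CA you know returns "intercepted" with the internal root's name, which is the quickest way to confirm the answer's claim for your own environment. For anything beyond a spot check, pin the fingerprint rather than the issuer string, since a proxy is free to put any name it likes in the certificates it generates.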

while that is man in the middle - it's a wee bit of a stretch to call it an attack...
– Rory Alsop♦, Feb 22 '12 at 21:32

I guess this depends on your point of view. As they see data they are not supposed to, I would qualify this as an attack. But you are right, from the administrator's view this can help ensure network security and thus is not qualified as an "attack".
– TeX HeX, Feb 23 '12 at 20:12

I agree with daramarak that it'd be quite hard to find real world data on MitM attacks. One reason for that is, MitM attacks are by nature usually targeted at individuals, whereas attacks like DDoS or SQL injection are usually targeted at companies, organizations, etc.

Therefore, while we see a DDoS/injection/whatever report almost every day, information regarding MitM attacks is usually academic (e.g. "Twitter was DDoS'd!" vs. "SSL is vulnerable to MitM")

However, it should be noted that "rare" does not necessarily mean "hard." Most MitM attacks are arguably much easier to pull than most other types of attacks, and many protocols we use everyday are vulnerable to such attacks in one way or another, simply because it's quite hard to devise a protocol that's completely secure against MitM. This is in fact the case for most security problems, most solutions are "best effort" as opposed to "completely and absolutely secure."

Therefore, I think the main reason that MitM attacks are less common is that usually there's no need/incentive to perform one.

The problem is with codinghorror's question in the first place. Encrypting data via SSL is a good way to prevent eavesdropping which is a problem. A man-in-the-middle attack is an overly sophisticated attack whereas someone sniffing your email/Facebook/Twitter password over wi-fi is an attack that can be done by anyone with minimal technical skills with off-the-shelf software.
– Dare Obasanjo, Feb 22 '12 at 20:19


I guess I don't see that as a problem with his question as much as a different question.
– tzenes, Feb 22 '12 at 20:50

Dare Obasanjo is addressing an issue brought up by Chris Dixon in the quote and not necessarily the question Jeff is asking. Chris Dixon is implying that being able to view clear text data as it goes between the source and destination is a MitM. I think a general word association (well... for me anyway) of a MitM attack is when someone intercepts and alters the data between source and destination. His implication is that viewing it is enough to be considered an attack. So if your ISP does any sort of packet inspection.. I guess he would consider that an attack.
– Safado, Feb 22 '12 at 21:06

Well I guess if they were rare, nobody would compromise a CA, however we've seen a number of attempts and a few successes at this (suspects including Iran).

So I presume it has and will be done. Otherwise why would they bother compromising a CA. That's not the easiest task in the world. Why not directly attack your target?

That said, they may be rare. Anyone who compromises a CA is likely good enough to cover enough of their tracks so that we don't know the extent of their work. Truthfully I wouldn't put it past the US Government to have done the same thing domestically as well as overseas. I'd actually be surprised if they haven't. Supporting this is I can't recall ever reading that HTTPS got in the US Government's way. I do hear it periodically regarding Skype encryption, TrueCrypt or PGP disk encryption.